SAN = Subject Alternative Name
The following post runs through getting SAN certificates for use with Clustered ONTAP. The lab environment has Clustered Data ONTAP 8.2.1 and a Windows 2008 R2 AD CS Root CA.
What SAN Names do we want in our SSL Certificate
To keep things simple, we'll request a single SAN certificate for the entire cluster, containing every name we could possibly require.
We have a simple single-node cluster with the following LIFs:
NACLU1::> net int show -field address
vserver  lif          address
-------- ------------ ------------
NACLU1   cluster_mgmt 10.10.10.110
NACLU1N1 mgmt1        10.10.10.111
NACLU1N1 rep1         10.10.10.121
NASVM1   data1        10.10.10.131
NASVM1   data2        10.10.10.132
In DNS we have the following Forward Lookup Host (A) entries. In this example, NASVM1.lab.priv has 2 entries in DNS for round-robin load-balancing.
Name                   Data         ReverseDNS?
---------------------- ------------ -----------
NACLU1.lab.priv        10.10.10.110 Yes
NACLU1N1.lab.priv      10.10.10.111 Yes
NACLU1N1-rep1.lab.priv 10.10.10.121 Yes
NASVM1.lab.priv        10.10.10.131 No
NASVM1.lab.priv        10.10.10.132 No
NASVM1-data1.lab.priv  10.10.10.131 Yes
NASVM1-data2.lab.priv  10.10.10.132 Yes
How to Create the Certificate Signing Request for CDOT
Run the command:
NACLU1::> security certificate generate-csr -common-name NACLU1.lab.priv -size 2048 -country US -state "" -locality "" -organization "" -unit "" -email-addr "it@lab.priv" -hash-function SHA256
Here the common-name is NACLU1.lab.priv (the cluster FQDN, with the NetBIOS name in capitals). What the common-name is doesn't really matter, since we're going to append SAN names to it. The other switches are specific to your organization.
An abridged output of the command is below:
Certificate Signing Request :
-----BEGIN CERTIFICATE REQUEST-----
MIICtDCCAZwCAQAwbzEYMBYGA1UEAxMPTkFDTFUxLmxhYi5wcml2MQswCQYDVQQG
...
z+AV+ZyhKSywDNof7Cm6Fa/O8OpLPgHr
-----END CERTIFICATE REQUEST-----
Private Key :
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsXJsTx08SEI1+PjGTQvud7F0fxN49GXCw3HNQeLTCEj4VCcM
...
7WEw8Q1Gib8nP/2Axag5u+/w8rAuAqg7nC7ZwUAXdyJkFfmNDE4F
-----END RSA PRIVATE KEY-----
Note: Please keep a copy of your certificate request and private key for future reference.
It is important to record this output. The 'CERTIFICATE REQUEST' section will be provided to the Certification Authority to generate the SSL cert. The 'RSA PRIVATE KEY' section will be used later when installing the certificate (and should be stored as carefully as any other private key, since whoever holds it can present this certificate). Note: you will only see the complete output once; if you later run 'security certificate generate-csr show', it actually creates a new CSR with the common-name 'show'.
Copy the certificate request, from the -----BEGIN CERTIFICATE REQUEST----- line through the -----END CERTIFICATE REQUEST----- line, into a text file and save it as, say, CLUSTER.CSR.
Generating the SAN Certificate with 2008 R2 AD CS
Configure the CA to issue SAN certificates by running the following command at the DOS prompt on the CA (if not already done) and restarting the CA service. Be aware that this flag lets any requester who can enrol against the CA put arbitrary names in the SAN of the certificate it is issued, so it is acceptable on a lab CA like this one but should not be left enabled on a production enterprise CA; Microsoft's guidance there is a dedicated template with the subject supplied in the request, restricted to the accounts that need it:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Then the following command will read the CLUSTER.CSR file prepared earlier, add all the SAN extensions to it, and output the SAN certificate as CLUSTER.CER:
certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=10.10.10.110&IPAddress=10.10.10.110&DNS=naclu1n1&DNS=naclu1n1.lab.priv&DNS=naclu1n1-rep1&DNS=naclu1n1-rep1.lab.priv&DNS=nasvm1&DNS=nasvm1.lab.priv&DNS=nasvm1-data1&DNS=nasvm1-data1.lab.priv&DNS=nasvm1-data2&DNS=nasvm1-data2.lab.priv" CLUSTER.CSR CLUSTER.CER
The above goes overboard, specifying every single DNS and NetBIOS entry used by the cluster in the SAN cert (plus the cluster management IP address, since logs via https://CLUSTERNAME/spi redirect to https://CLUSTERIP/...). For OCUM connections to the cluster management address, SPI, and logs via the node address, the following is entirely sufficient:
certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=10.10.10.110&IPAddress=10.10.10.110&DNS=naclu1n1&DNS=naclu1n1.lab.priv" CLUSTER.CSR CLUSTER.CER
Note 1: IE requires IP addresses after DNS=, other browsers after IPAddress=, which explains the cluster management IP address appearing twice.
Note 2: If you're having problems entering the above after copying it from this post, check the formatting of the dash and quotation marks especially (delete and retype them at the DOS prompt).
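As an added example (not code from the original post), the following Python builds the certreq -attrib string above from the DNS table at the top of the post and checks any such string for inventory names it would leave uncovered; DNS_HOSTS and IP_SANS are constructed from the lab tables, and the IE/IPAddress= rule from Note 1 is applied to each address.

```python
# Constructed from the DNS table in the post: (host name, address).
# NASVM1.lab.priv appears twice because it is round-robin in DNS.
DNS_HOSTS = [
    ("NACLU1.lab.priv", "10.10.10.110"),
    ("NACLU1N1.lab.priv", "10.10.10.111"),
    ("NACLU1N1-rep1.lab.priv", "10.10.10.121"),
    ("NASVM1.lab.priv", "10.10.10.131"),
    ("NASVM1.lab.priv", "10.10.10.132"),
    ("NASVM1-data1.lab.priv", "10.10.10.131"),
    ("NASVM1-data2.lab.priv", "10.10.10.132"),
]
# Addresses clients reach by IP: the cluster management LIF, because
# https://CLUSTERNAME/spi redirects to https://CLUSTERIP/...
IP_SANS = {"10.10.10.110"}

def build_san_attrib(hosts, ip_sans, template="WebServer"):
    """certreq -attrib string: DNS=<short>&DNS=<fqdn> per host, and for an
    address in ip_sans both DNS=<ip> (IE) and IPAddress=<ip> (others).
    Names are lower-cased; duplicates are dropped in first-seen order."""
    entries = []
    for fqdn, addr in hosts:
        fqdn = fqdn.lower()
        wanted = [f"DNS={fqdn.split('.', 1)[0]}", f"DNS={fqdn}"]
        if addr in ip_sans:
            wanted += [f"DNS={addr}", f"IPAddress={addr}"]
        entries += [e for e in wanted if e not in entries]
    # certreq separates Name:Value pairs with a literal backslash-n.
    return f"CertificateTemplate:{template}\\nSAN:" + "&".join(entries)

def parse_san_attrib(attrib):
    """Split the SAN: part back into {"DNS": [...], "IPAddress": [...]}."""
    out = {"DNS": [], "IPAddress": []}
    for item in attrib.split("\\nSAN:", 1)[1].split("&"):
        kind, _, value = item.partition("=")
        out.setdefault(kind, []).append(value)
    return out

def missing_sans(attrib, hosts, ip_sans):
    """Inventory names/IPs the attrib string does not cover, sorted."""
    san = parse_san_attrib(attrib)
    dns = set(san["DNS"])
    missing = {h.lower() for h, _ in hosts if h.lower() not in dns}
    # An IP needs both forms to satisfy IE and the other browsers.
    missing |= {ip for ip in ip_sans
                if ip not in dns or ip not in san["IPAddress"]}
    return sorted(missing)
```

Running missing_sans over the shorter "sufficient" string reports the rep1 and NASVM1 names, which is exactly the trade-off the post describes.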
Installing the Certificate in CDOT
Run the command:
NACLU1::> security certificate install -vserver NACLU1 -type server
As prompted, copy and paste in the certificate as contained in the CLUSTER.CER file, and the private key obtained when generating the CSR earlier.
Then run the following commands to apply the SSL certificate to the Cluster (Admin) Vserver; the first two show the installed certificate's CA and serial number, which ssl modify then needs:
NACLU1::> security certificate show -vserver NACLU1
NACLU1::> ssl show -vserver NACLU1
NACLU1::> ssl modify -vserver NACLU1 -ca lab-MSCSA1-CA -serial 6167DD8400000000000B -common-name NACLU1.lab.priv
Repeat for the node and data SVMs as required.
Testing the SSL Certificate in CDOT
Test over https://CLUSTER_NETBIOS/spi.
Image: No certificate error to https://naclu1/spi
Test over the SPI to logs.
Image: No certificate error to https://10.10.10.110/...
Check the SSL certificate to see the Subject Alternative Name entries.
Image: SAN entries including IP Address
THE END